Analysis
  max time kernel: 120s
  max time network: 97s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11/11/2024, 23:25
Static task: static1
Behavioral task: behavioral1
  Sample: 34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe
  Resource: win10v2004-20241007-en
General
  Target: 34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe
  Size: 2.6MB
  MD5: bbf43291083500c1aa9195023fb8038c
  SHA1: 9fe366b06a5eda3b7e58fbfb3e4cbfcca499edf1
  SHA256: d0608ed4f5d17b8e9fe55fd59f06f51c3be3a850d0a9edb83b096aeac4296515
  SHA512: 577282a24e7dab7994308f36e95e2fd0665f8866170d810503cd0f6a2dbf3022d9e5d30ccfc352596ed917b54fc7a07f891446cd0a0e0902ff31e4b93fff24f7
  SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBeB/bS5:sxX7QnxrloE5dpUpZbg
Malware Config
Signatures
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe (process: 34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe)
- Executes dropped EXE (2 IoCs)
  PID 1076: ecadob.exe
  PID 5084: xbodloc.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe2R\\xbodloc.exe" (process: 34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8I\\dobaec.exe" (process: 34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ecadob.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xbodloc.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 PID/process entries were logged, all from three processes: PID 5032 (34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe), PID 1076 (ecadob.exe) and PID 5084 (xbodloc.exe), each listed repeatedly.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 5032 (34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe) wrote to memory of PID 1076, procid_target 87 (logged 3 times)
  PID 5032 (34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe) wrote to memory of PID 5084, procid_target 90 (logged 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\34c0bd66785d17ff4bc9dec2b2f7998f80ed9ee85c2c835e9b1d47bf1a73c1e6N.exe"
  PID: 5032
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
    PID: 1076
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - C:\Adobe2R\xbodloc.exe
    Command line: C:\Adobe2R\xbodloc.exe
    PID: 5084
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads